ramnit | e51bac091a171091098a61a2706c410ff7896d04f1f82bcec6c8b42447544805

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
Size

50.6MB
MD5

698020a6be072ea51b7d567211d9e7b3
SHA1

450806dfd7417595acae53348facaefe9e59ad84
SHA256

e51bac091a171091098a61a2706c410ff7896d04f1f82bcec6c8b42447544805
SHA512

b3e42c904f0c7ca1da8b5ac34b50b750457870f244209847496b435080874bb0d0de5ac2f8544621838b6038600aeac084ade9a45720df9d27afcb129c8199ad
SSDEEP

1572864:Q+EAwSRiSpQ9tig0IkEdQvWEO6/iSJCkvfh7D2KuI:3wMCXiek7uEogh7D2A

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 8 IoCs

Processes:

698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exeDesktopLayer.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exeDesktopLayer.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exeDesktopLayer.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exeDesktopLayer.exe

pid	process
2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2904	DesktopLayer.exe
2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2528	DesktopLayer.exe
2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
776	DesktopLayer.exe
2240	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2984	DesktopLayer.exe

Loads dropped DLL 30 IoCs

Processes:

698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exeDesktopLayer.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exeDesktopLayer.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exeDesktopLayer.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exeDesktopLayer.exe

pid	process
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
2904	DesktopLayer.exe
2904	DesktopLayer.exe
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2528	DesktopLayer.exe
2528	DesktopLayer.exe
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
776	DesktopLayer.exe
776	DesktopLayer.exe
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
2240	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2240	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2240	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2984	DesktopLayer.exe
2984	DesktopLayer.exe
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	upx
behavioral1/memory/1964-9-0x0000000000320000-0x000000000034E000-memory.dmp	upx
behavioral1/memory/2344-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\nst21D5.tmp\nsRandom.dll	upx
behavioral1/memory/1964-31-0x0000000000320000-0x0000000000341000-memory.dmp	upx
behavioral1/memory/2904-38-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1964-83-0x0000000000320000-0x000000000034E000-memory.dmp	upx
behavioral1/memory/2864-76-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2984-157-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1964-644-0x00000000003D0000-0x00000000003FE000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

Processes:

698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px230B.tmp	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2202.tmp	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2443.tmp	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px226F.tmp	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{502506D1-18AF-11EF-83FC-5267BFD3BAD1} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5024DFC1-18AF-11EF-83FC-5267BFD3BAD1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422594539"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

DesktopLayer.exeDesktopLayer.exeDesktopLayer.exeDesktopLayer.exe

pid	process
2904	DesktopLayer.exe
2904	DesktopLayer.exe
2904	DesktopLayer.exe
2904	DesktopLayer.exe
2528	DesktopLayer.exe
2528	DesktopLayer.exe
2528	DesktopLayer.exe
2528	DesktopLayer.exe
776	DesktopLayer.exe
776	DesktopLayer.exe
776	DesktopLayer.exe
776	DesktopLayer.exe
2984	DesktopLayer.exe
2984	DesktopLayer.exe
2984	DesktopLayer.exe
2984	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

2432 iexplore.exe
2536 iexplore.exe
2432 iexplore.exe
2004 iexplore.exe

pid	process
2432	iexplore.exe
2536	iexplore.exe
2432	iexplore.exe
2004	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
2536	iexplore.exe
2536	iexplore.exe
2432	iexplore.exe
2432	iexplore.exe
2432	iexplore.exe
2432	iexplore.exe
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
500	IEXPLORE.EXE
500	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
2004	iexplore.exe
2004	iexplore.exe
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE
2296	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1964 wrote to memory of 2344	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2344	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2344	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2344	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2344	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2344	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2344	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 2344 wrote to memory of 2904	2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2344 wrote to memory of 2904	2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2344 wrote to memory of 2904	2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2344 wrote to memory of 2904	2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2344 wrote to memory of 2904	2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2344 wrote to memory of 2904	2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2344 wrote to memory of 2904	2344	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2904 wrote to memory of 2536	2904	DesktopLayer.exe	iexplore.exe
PID 2904 wrote to memory of 2536	2904	DesktopLayer.exe	iexplore.exe
PID 2904 wrote to memory of 2536	2904	DesktopLayer.exe	iexplore.exe
PID 2904 wrote to memory of 2536	2904	DesktopLayer.exe	iexplore.exe
PID 1964 wrote to memory of 2564	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2564	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2564	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2564	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2564	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2564	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2564	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 2564 wrote to memory of 2528	2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2564 wrote to memory of 2528	2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2564 wrote to memory of 2528	2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2564 wrote to memory of 2528	2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2564 wrote to memory of 2528	2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2564 wrote to memory of 2528	2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2564 wrote to memory of 2528	2564	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2528 wrote to memory of 2432	2528	DesktopLayer.exe	iexplore.exe
PID 2528 wrote to memory of 2432	2528	DesktopLayer.exe	iexplore.exe
PID 2528 wrote to memory of 2432	2528	DesktopLayer.exe	iexplore.exe
PID 2528 wrote to memory of 2432	2528	DesktopLayer.exe	iexplore.exe
PID 1964 wrote to memory of 2864	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2864	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2864	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2864	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2864	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2864	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 1964 wrote to memory of 2864	1964	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
PID 2864 wrote to memory of 776	2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2864 wrote to memory of 776	2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2864 wrote to memory of 776	2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2864 wrote to memory of 776	2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2864 wrote to memory of 776	2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2864 wrote to memory of 776	2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 2864 wrote to memory of 776	2864	698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe	DesktopLayer.exe
PID 776 wrote to memory of 2004	776	DesktopLayer.exe	iexplore.exe
PID 776 wrote to memory of 2004	776	DesktopLayer.exe	iexplore.exe
PID 776 wrote to memory of 2004	776	DesktopLayer.exe	iexplore.exe
PID 776 wrote to memory of 2004	776	DesktopLayer.exe	iexplore.exe
PID 2536 wrote to memory of 500	2536	iexplore.exe	IEXPLORE.EXE
PID 2536 wrote to memory of 500	2536	iexplore.exe	IEXPLORE.EXE
PID 2536 wrote to memory of 500	2536	iexplore.exe	IEXPLORE.EXE
PID 2536 wrote to memory of 500	2536	iexplore.exe	IEXPLORE.EXE
PID 2536 wrote to memory of 500	2536	iexplore.exe	IEXPLORE.EXE
PID 2536 wrote to memory of 500	2536	iexplore.exe	IEXPLORE.EXE
PID 2536 wrote to memory of 500	2536	iexplore.exe	IEXPLORE.EXE
PID 2432 wrote to memory of 1896	2432	iexplore.exe	IEXPLORE.EXE
PID 2432 wrote to memory of 1896	2432	iexplore.exe	IEXPLORE.EXE
PID 2432 wrote to memory of 1896	2432	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2344

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:500

C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2564

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:340993 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:340999 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2864

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
C:\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2240

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b30bb662f8246c0a81f9ae8009ab0c7c

SHA1
57e400f662e000c2a6f2823144c7a88a48f35d73

SHA256
c6714781f1970cdfb83bb49e6e98adb1b2039df5e5ab5a146eba6747c37ea899

SHA512
e60dce147a2eeac612fa2d1b04df7176b6a10c78e8838a8da8a0470008bb1b9142f615418e8070e521622dd5daa7acdd3d1aa0131bbefab8bda2f5ca5a02349e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
acb3d30f373216c71593392da68ddc39

SHA1
04506b69576a63d12f13c45dde4b14f94e229fab

SHA256
b51d9db138f5eb6f4e96bed5fc243ee142de0ce58f805690692b65095decda25

SHA512
071e33fb0edf430ece43d82cf2ea13a2943ab6b49033a9462bc77d1b56df01ef867c9dc748174912a05c169f3aa86bb56ac4d389b8d23cb0e1e741c731c5328a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
39e855fc87dc2be362530f6e6b54c509

SHA1
c3fad10f685238f66146280904ecf732545cfe42

SHA256
c8f2f6deb3b36ff6c984dc77704aa9fbb49ae7f989cde812b42a10507ba92f57

SHA512
ed449ed816a5202586b64effe799ea636166ab1c9a1bba0c44f64372760e524e26a9f2f8a2faf9c83f7873f0852508c6075dc4952f3df51da0ef96c06a0ccdc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2d1d697dde51fbc4394d15a40c5bb678

SHA1
bb531efebc83dbad98bc3ca1010189092bd1d25d

SHA256
81b78a6411a7c267630f9101453082a3765b9a6e910139c4a958a01a35b76914

SHA512
651b7d9e84de89fe43ad901015822d7dbb7c2fd933584a55bb729a39083f09d27c4cdc39b4984792297ad0cf095ffdef47f4b50011de68fb898c8c749a8c32c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
405872bd7c801fb594a7a82d2664561b

SHA1
92ce261d95439dcc5bfdaaa08400b1de2884ff62

SHA256
0683060ce11ddfe8b949663286679cb065de26c848110976d9441e4e4ae472a4

SHA512
39db13762c98680ec4d79feb736401749d5795956c78fd8f83554c748be8b6f2741528912c21c57f74af36f4d2520efa857478b916c6aba1996e20fa2e7484c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a292db577008ae83302eca6d9a79df00

SHA1
a7e75e3f30197c899f37c2efa1261d332059951d

SHA256
3ddd6802cbcf2752dcbdbf41dfdfaf573dc77280bd5f9909a1c78d19006a2e42

SHA512
50270271b08f829b416e7cd881e3c60aad9ce745f96f3b45f2545cc8dc4f1e4fe6f00ae14b6104d5d6456874a3a4895a2e7d0a105667fb46d551364a09fc0643

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ec60c470a650831e80b459ab4a33351

SHA1
35e2e3b854ebb8a778cb57113d2fbff6903ab42b

SHA256
0923ac1e8e72fe753e9aea0be64d6729eff9c3126d3be13f2a05bca76a9e59cf

SHA512
f7904465c3c0781453d2bba44d67159b85831f5f69af357a42f0788e8d1026c8e90308ae654be4f522245391a9ba26161812e093aa38a338d6bdb6db3e003393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
383c953292fda2371ca79d6130f72452

SHA1
663724d4eba21e4cf6aec944da8eb26f5e421aab

SHA256
a1f71895330193618e83c1b8a6553efbd51906ecc1b05ad2aabd011a6d3a3dc0

SHA512
ad134e74859eaa7af96e346e6ea39c7ad455fb77c7007e2d8b3524a1a52bb988ea749ee0860cace141e0b9b88471c1ad0e62b8fa6bae0cbb0f6571922784f73f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b46064bcd4f99c76599504d907c38549

SHA1
768b6ac2a5622aba496baa2b33e912e752b49bb5

SHA256
ae81dee9e3c8ed90aeb227274293661f7341f86f9d6122144d06b323175b8d9a

SHA512
21a412f00967552b10e41d7bd981b53e5f55a3f23e8d719869ad58444f3cb78910105eedd605938dfcc4ffb2178fe892b643612213c187b8aa527b8592990cec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1b0eeca9c652b5d80ac85e6a2fd2f8ab

SHA1
b99358bde6cfaa7d452adbdbca39d5ace61a31ad

SHA256
4920bd9f1260d54592a9306d96ae2a27ab2fa9c8f48dc585c92551205321bc67

SHA512
dd09d4b4c1648d8bfcce3253fb8b947b41b4ec510afd02ca9de3203cecfaa7169a114a895e7d41f4ba3751da8397c0ed4e9ca7fc651584ad43f76109ed83dec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1b0f63446a773e091d83cb8fc9e42b8b

SHA1
2ed06641cf5b656f9eeb677bcfc12c39b453137a

SHA256
01246580e4fb04877fabf7231580ee8d60877300915b956775c63fc917e69312

SHA512
e8f6f08a128ea6a7c4660173848e259618ad360672d8e3278a9b58155057dddb6e9c8f82c7fb071ba359fa5ad512a840782648591a136f674357389973ba8235

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
533aab247689c6b2d589ff679006dd99

SHA1
24dfd26e5f4b4cac9cfbfcbfd24be054d41abac3

SHA256
f1dbb70d3cf05dd2a4de19816da5eec58f057a3b3b6073e7357d6775069cff3f

SHA512
117debc5f0ac0b66cf32bad5b515bf696ff8de72204a01e2e5355abed7e352cacada9058454bacfd59c6298d112f21678a55536cfd8152a4fb3a4a1b6f16ec8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e8d1cad6bc08ccc00ed38b6fb1024b72

SHA1
252ffa75c365064052000c570a410429762f6632

SHA256
ee4de1eb4d8ad90e00dd70664b733160496bc6100c1211e30c2ff35a4848baa4

SHA512
369dadb26a5a3b5d67a1794472ba76b815859683df02999ad42945047ef3a54054198b1c828f926b3bc5c77907c0fe7ddf1cbf54bab947ffcef59df9df7c251e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6e22a117a4219aeefa287433287f2008

SHA1
5236d3224c88d769040aa14e1525076c622b4220

SHA256
d358e9b27cc52c02d2328ec86d04332a54e37b5d9e9a1a44a27b8b4a58fedd9b

SHA512
50a19eddfd408fdea857cde16b34177c2f09a8f73a0016741cc39610b214e3c4406d90ad3c42c430616d2611970afcaf0f4e5c4cde094d88df7176dd52711afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
73bd17a1e21ee1feadfe6b5dcfe0afd8

SHA1
e3bed597a556b3f0ee76b8db6dfad2e5ea472532

SHA256
1513517b0f6f72f5f8317fc5ef560351555596af5992682820c85ca68c0df69d

SHA512
e7b306158dfc1ded05c0f1c96ee312990e43a6f5aa53b4a02b5e8f3b45d627cd7179edc1c545456958f55b7abff9c81055b0e98e0411cca90fe6fef0dac92a25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2896d9c9594b0ce690b32296f41f9e80

SHA1
d87649a9b95fd091cca42391a0a9a2cce86af5eb

SHA256
519c58802ad71de90f3c9001912a333849987f7bcdaeb617e712c1fc4267f711

SHA512
791a97dd50b34504e512c04a38596f4fd06b537123f860f8fb7f61e48644c4e12c43d64a23766d4a084b16580fb0151bb0b8a769a65e1468756effdf49bddffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
56ee94821337c5ad88485707e044666c

SHA1
5886f0815f511e6d982e45c4cc103f27c7f2a9b8

SHA256
7e5d53505af03ba00d82c9129558ba7843a49c4b6d34490fa3ce870bd5fc3dab

SHA512
b3be1d6ede42cbe5a3a78b4a949c8dfec81903e356603c3d7cd70acfc31969ec14155bd2190f75dd80732394b1b66bba9f1054302fa02d61ba5cc183a191e58e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0584247ba996795392b799fe4e2c768c

SHA1
fa0c82d235ba53af97a23fa313520ffbcdd57a90

SHA256
634331b440dbb833eb7b6e7238a30910e4a8eb4d0a0fa8bf1a34fd8cbb6db4dc

SHA512
d2c23ab413738312cb6cfbc2300d5379024a8dcedd82084aea555975058d5112eb1f346ccd4b68170684007cd30323a5d7859f98babc8dc00b025aa3d33c14cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5024DFC1-18AF-11EF-83FC-5267BFD3BAD1}.dat
Filesize
5KB

MD5
0797aeb9dadbe1b91beffd9b9b6b6d9b

SHA1
745995bfd295a7150be042322754f5d4eca688cf

SHA256
57c117483a87698d197a8fa7e6d76de9938c6ed9e3f4feebfbe9c6d0dda85ed0

SHA512
d22be9972edb486e5d7d9a9d97d1f95e3e2eff9dee6ee2c158f7b8d0a66545cebcc86cbba9d0481d8ec5ba938c43698810285dc568d28cf8753dcc85fca5c4be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{502506D1-18AF-11EF-83FC-5267BFD3BAD1}.dat
Filesize
5KB

MD5
382d05e19ea8b6b0ab9a92c2433a3c04

SHA1
9b0e2cb51f571f33414969e5da967b3f16b0abec

SHA256
883fa4184b94136dc069bb54cee9ceeb422cf2ef3f5efc4f99d16d48081c5876

SHA512
6b428e5c78fdd2bf630bd1993c02b05c00dbf1fcf0762e26c35db031fb6ba6e51352d6ba039d1bd1045f4e41239965c0b2581b0d7d396f7f22238f0e9e971df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{502506D1-18AF-11EF-83FC-5267BFD3BAD1}.dat
Filesize
5KB

MD5
0b4b021c95d8d3f246e4b2e1d7723c42

SHA1
a4799e8b1c9534a09a32f4d2b14e3771f03c8e9e

SHA256
cb80ace52cad18caab3b5ebe11d01ddd4169810c069435fd2d716a96c18f4cb6

SHA512
d7bbf98470e4ce1806f2a5a95c8da870f971da612a71a2fdde88f485aedb6b7a0426a4f187c26e2e202c91bbf0bf633c583184cb1a65046f9669b4fec8d60c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\419513\GMSkin_Image_2012_v1.zip
Filesize
388KB

MD5
a1bc3b1cfbc2bca222149f1c8e035fa9

SHA1
3b83e21d38de489bd1aa4e875a3c98f58095ac8c

SHA256
f3d7906579bafe366da8f1779a34a103412fb1122cc38951ab2173bd3d6289fd

SHA512
d8bae9cf73ef484b10b84c386b7b311be5f5a07b2c38808d64fffa695fda7bff35b24797c179030a5a5ad30883ee4212236c40fb1020dbc0f6350f86ab7b4572

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3A74.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3B65.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst21D5.tmp\MyNsisExtend.dll
Filesize
596KB

MD5
37e4e1ab9aee0596c2fa5888357a63b0

SHA1
a5dba8c0a1bd936dca2b6a81f2dc9a3005f1a2b6

SHA256
ff4b245fea98cedd881ca102468623a449a0b40df0c557dd8a6ea32e788d56fe

SHA512
5cbab2872683079c6cc09423a2baf7107b5ac5731f336cd237fa93a4a4ee53a127963dc0ec0dbc6168b9b3d2c3a881c7663ce4ecd84d964628dd566395d49bb3

Download Submit
\Users\Admin\AppData\Local\Temp\419513\MyNsisSkin.dll
Filesize
384KB

MD5
a6039ed51a4c143794345b29f5f09c64

SHA1
ef08cb5dfa598d9d5b43b8af49f54b2c7dac00d4

SHA256
95ae945504972cadcf2ccfb2b3d02ea8cade3ee53f2f2082e8b40b61f660877a

SHA512
0ed3d0c070bfd91e2355aec5a30ad5cbaf6949c965af5e0ee1ecf2edd5f5aeba3819b4667a0301f8b52c8fd56d3bae35fa4f77063d56c8f89055784d0c0a30a8

Download Submit
\Users\Admin\AppData\Local\Temp\698020a6be072ea51b7d567211d9e7b3_JaffaCakes118Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\nst21D5.tmp\ButtonEvent.dll
Filesize
4KB

MD5
fad9d09fc0267e8513b8628e767b2604

SHA1
bea76a7621c07b30ed90bedef4d608a5b9e15300

SHA256
5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2

SHA512
b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805

Download Submit
\Users\Admin\AppData\Local\Temp\nst21D5.tmp\System.dll
Filesize
67KB

MD5
bd05feb8825b15dcdd9100d478f04e17

SHA1
a67d82be96a439ce1c5400740da5c528f7f550e0

SHA256
4972cca9555b7e5dcb6feef63605305193835ea63f343df78902bbcd432ba496

SHA512
67f1894c79bbcef4c7fedd91e33ec48617d5d34c2d9ebcd700c935b7fe1b08971d4c68a71d5281abac97e62d6b8c8f318cc6ff15ea210ddcf21ff04a9e5a7f95

Download Submit
\Users\Admin\AppData\Local\Temp\nst21D5.tmp\nsDialogs.dll
Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nst21D5.tmp\nsRandom.dll
Filesize
77KB

MD5
d86b2899f423931131b696ff659aa7ed

SHA1
007ca98f5d7921fe26fb9b8bd8a822dd5ae09ed6

SHA256
8935cba8e9b276daa357a809e0eca3bebf3fdc6d0d3466ab37fb2cbbfacd3a94

SHA512
9a4437ab484e4e22597c642d21b0107a063a208a582df3a5bf276466ad8d0ba9aeebac6de8dcf1372939984bb187d58e94c799918cfbe80e85c958bf0a537fc7

Download Submit
memory/776-109-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/776-118-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1964-81-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1964-644-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1964-153-0x0000000001EE0000-0x0000000001F42000-memory.dmp

Filesize
392KB

Download
memory/1964-9-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/1964-8-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1964-83-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/1964-168-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/1964-31-0x0000000000320000-0x0000000000341000-memory.dmp

Filesize
132KB

Download
memory/1964-127-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/1964-120-0x0000000002A90000-0x0000000002B2A000-memory.dmp

Filesize
616KB

Download
memory/1964-74-0x0000000000320000-0x000000000034E000-memory.dmp

Filesize
184KB

Download
memory/1964-58-0x0000000001EE0000-0x0000000001F42000-memory.dmp

Filesize
392KB

Download
memory/1964-643-0x0000000002A90000-0x0000000002B2A000-memory.dmp

Filesize
616KB

Download
memory/2240-138-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/2344-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2864-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2864-85-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/2904-32-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2904-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2904-35-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2984-645-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2984-152-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2984-157-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2984-155-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download
memory/2984-154-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download